cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Parse string in Azure Sentinel

SiddharthRajD
Copper Contributor

‎Feb 01 2022 04:58 AM - last edited on ‎Apr 08 2022 10:58 AM by

‎Feb 01 2022 04:58 AM - last edited on ‎Apr 08 2022 10:58 AM by

Parse string in Azure Sentinel

Hello, we want to parse out the "subscription ID" as a field from the following string. Please let me know how can I do that?

 

Column Namestring

privateLinkServiceId_

/subscriptions/"SubsriptionID"/resourceGroups/"RG-Name"/providers/Microsoft.Storage/storageAccounts/"Name"

 

Existing query  ( please suggest what needs to be appended) :

 

AzureActivity | search "entity"
| extend privateLinkServiceId_ = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).requestbody)).properties)).privateLinkServiceConnections))[0].properties)).privateLinkServiceId)

Labels:
2,074 Views
0 Likes
1 Reply
Reply
1 Reply
Clive_Watson

‎Feb 01 2022 08:02 AM

‎Feb 01 2022 08:02 AM

Re: Parse string in Azure Sentinel

@SiddharthRajD 

 

AzureActivity 
| extend entity_ = tostring(parse_json(Properties).entity)
| where isnotempty(entity_)
| parse entity_ with * '/subscriptions/' subscription_ '/' *
| project subscription_

However SubscriptionId is already a column in that Table, so you can just do 

AzureActivity
| extend entity_ = tostring(parse_json(Properties).entity)
| where isnotempty(entity_)
| project SubscriptionId


 

0 Likes
Reply